Marshmallow: Nested excludes get overwritten

Created on 25 Jan 2018  ·  8Comments  ·  Source: marshmallow-code/marshmallow

It seems whenever an parent level exclude is specified with dot notation, the child field level excludes are overwritten. It would be great if they could be concatenated.

Here's an example:

from marshmallow import fields, Schema

class FooChildSchema(Schema):
    boo = fields.String()
    far = fields.String()
    faz = fields.String()

class FooSchema(Schema):
    foo = fields.String()
    bar = fields.String()
    baz = fields.String()
    child = fields.Nested(FooChildSchema, exclude=('boo',))

obj = {
    'foo': 'foo',
    'bar': 'bar',
    'baz': 'baz',
    'child': {
        'boo': 'boo',
        'far': 'far',
        'faz': 'faz',
    },
}

serialized = FooSchema(exclude=('foo', 'child.faz')).dump(obj).data
print(serialized)

I expect :

{'child': {'far': 'far'}, 'baz': 'baz', 'bar': 'bar'}

instead, I get:

{'child': {'far': 'far', 'boo': 'boo'}, 'baz': 'baz', 'bar': 'bar'}
bug
Source
picture timc13
👍3

Most helpful comment

I will pick this back up now that #772 is fixed. Thanks @lafrech.

picture deckar01 on 26 Apr 2018
👍2

All 8 comments

is this expected behavior? Do we want nesting to include parent excludes ?

timc13 picture timc13 on 30 Jan 2018

@sloria any thoughts on this?

timc13 picture timc13 on 12 Feb 2018

I also think the child schema should exclude the union of the two exclude parameters. In fact, it should include only the intersection of the only parameters minus the union of the exclude.

Would you like to propose a PR for this?

lafrech picture lafrech on 12 Apr 2018

I will start writing some tests for this issue and see if there are any edge cases that need more discussion. I implemented the offending feature in #468, and it turned out a little more complex than I expected.

deckar01 picture deckar01 on 12 Apr 2018
👍1

I ran into a funky edge case that has security implications. I reported the underlying issue as #772.

class ChildSchema(Schema):
    foo = fields.Field()
    bar = fields.Field()

class ParentSchema(Schema):
    baz = fields.Nested(ChildSchema, only=('bar',))

schema = ParentSchema(only=('baz.foo',))

The result of the intersections of these only options is an empty set, which we treat as disabling the only filter...

This change to only would make it possible to get unfiltered data without explicitly supplying any falsy values to only, so I think #772 needs to be fixed first.

deckar01 picture deckar01 on 13 Apr 2018

Here is a working fix for this issue: https://github.com/marshmallow-code/marshmallow/compare/2.x-line...deckar01:728-only-exclude-inheritance-fix

It has a failing test due to #772.

deckar01 picture deckar01 on 13 Apr 2018

I will pick this back up now that #772 is fixed. Thanks @lafrech.

deckar01 picture deckar01 on 26 Apr 2018
👍2

@deckar01 don't mean to be annoying - but hopefully you havent forgotten about this? :)

timc13 picture timc13 on 8 May 2018
😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ambye85 picture ambye85  ·  4Comments
nickretallack picture nickretallack  ·  4Comments
lupodellasleppa picture lupodellasleppa  ·  3Comments
lassandroan picture lassandroan  ·  3Comments
zohuchneg picture zohuchneg  ·  3Comments